{"id":22347772,"url":"https://github.com/wearetechnative/terraform-aws-kms","last_synced_at":"2026-03-19T22:29:50.873Z","repository":{"id":221478705,"uuid":"712405121","full_name":"wearetechnative/terraform-aws-kms","owner":"wearetechnative","description":null,"archived":false,"fork":false,"pushed_at":"2025-01-14T11:14:01.000Z","size":169,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-01-31T12:12:36.335Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"HCL","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/wearetechnative.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null}},"created_at":"2023-10-31T12:08:33.000Z","updated_at":"2025-01-14T11:14:04.000Z","dependencies_parsed_at":"2024-02-08T08:20:15.370Z","dependency_job_id":"800cc244-9657-4a2f-b5a0-7e9c338b1283","html_url":"https://github.com/wearetechnative/terraform-aws-kms","commit_stats":null,"previous_names":["wearetechnative/terraform-aws-kms"],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/wearetechnative%2Fterraform-aws-kms","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/wearetechnative%2Fterraform-aws-kms/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/wearetechnative%2Fterraform-aws-kms/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/wearetechnative%2Fterraform-aws-kms/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/G
itHub/owners/wearetechnative","download_url":"https://codeload.github.com/wearetechnative/terraform-aws-kms/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":245641317,"owners_count":20648637,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-12-04T10:10:51.837Z","updated_at":"2026-02-27T06:02:03.376Z","avatar_url":"https://github.com/wearetechnative.png","language":"HCL","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Terraform AWS [KMS] ![](https://img.shields.io/github/workflow/status/wearetechnative/terraform-aws-kms/tflint.yaml?branch=main\u0026style=plastic)\n\nThis module implements a KMS key usable for most scenarios.\n\nUse\n[aws_kms_grant](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_grant)\nto allow least privilege to this key.\n\nThis key contains a lot of open policies by default. This is due to a\nlimitation in Terraform `aws_kms_grant`. See\n[this](https://github.com/hashicorp/terraform-provider-aws/issues/13994) issue\nas to why.\n\n[![](we-are-technative.png)](https://www.technative.nl)\n\n## How does it work\n\nGenerally you only define the `var.name` and only use\n`var.resource_policy_additions` when you use a service or resource that is not\nable to access the key using grants. It's generally not recommended to use\n`var.resource_policy_additions`. 
For general AWS services we include these\nservices by default into this module until\n[this](https://github.com/hashicorp/terraform-provider-aws/issues/13994) can be\nsolved using `aws_kms_grant` as well. Please UPVOTE this issue.\n\n## Examples\n\nCheck the example to see how to implement KMS.\n\n- with_extra_iam_user_additions, if you want to give users explicit access\n\n\u003c!-- BEGIN_TF_DOCS --\u003e\n## Providers\n\n| Name | Version |\n|------|---------|\n| \u003ca name=\"provider_aws\"\u003e\u003c/a\u003e [aws](#provider\\_aws) | \u003e=4.8.0 |\n\n## Modules\n\nNo modules.\n\n## Resources\n\n| Name | Type |\n|------|------|\n| [aws_kms_alias.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource |\n| [aws_kms_key.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |\n| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |\n| [aws_iam_policy_document.access_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |\n| [aws_iam_policy_document.guarded_roles](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |\n| [aws_iam_policy_document.kms_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |\n| [aws_iam_policy_document.kms_standard_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |\n| [aws_iam_role.kms_access_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_role) | data source |\n| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |\n| 
[aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |\n\n## Inputs\n\n| Name | Description | Type | Default | Required |\n|------|-------------|------|---------|:--------:|\n| \u003ca name=\"input_guarded_role_access\"\u003e\u003c/a\u003e [guarded\\_role\\_access](#input\\_guarded\\_role\\_access) | Defaults to TRUE.\u003cbr\u003eThis will create a policy that will allow all access based on principal tag landing\\_zone\\_usertype with value devops\\_administrator.\u003cbr\u003eSetting tags starting with landing\\_zone\\_ is a guarded feature in our landing zone and can only be done from the management account.\u003cbr\u003eThis setting extends the KMS so that these compliant roles are always able to access any KMS keys. | `bool` | `true` | no |\n| \u003ca name=\"input_name\"\u003e\u003c/a\u003e [name](#input\\_name) | Unique name for KMS key and alias. | `string` | n/a | yes |\n| \u003ca name=\"input_resource_policy_additions\"\u003e\u003c/a\u003e [resource\\_policy\\_additions](#input\\_resource\\_policy\\_additions) | Additional IAM policy statements in Terraform object notation. | `any` | `null` | no |\n| \u003ca name=\"input_role_access\"\u003e\u003c/a\u003e [role\\_access](#input\\_role\\_access) | Access for regular roles. Explicitly defined to set compatibility with the move to var.guarded\\_role\\_access. Set the role name. 
| `list(string)` | \u003cpre\u003e[\u003cbr\u003e  \"OrganizationAccountAccessRole\"\u003cbr\u003e]\u003c/pre\u003e | no |\n\n## Outputs\n\n| Name | Description |\n|------|-------------|\n| \u003ca name=\"output_kms_key_arn\"\u003e\u003c/a\u003e [kms\\_key\\_arn](#output\\_kms\\_key\\_arn) | n/a |\n\u003c!-- END_TF_DOCS --\u003e\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fwearetechnative%2Fterraform-aws-kms","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fwearetechnative%2Fterraform-aws-kms","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fwearetechnative%2Fterraform-aws-kms/lists"}